
STOP Ransomware Decryption Tool Emerges


While Ryuk and Sodinokibi may be high-profile ransomware, it’s Stop, a ransomware family that includes Djvu, that may be the most pervasive, with dozens of versions plaguing users worldwide.

Emsisoft, a New Zealand-based security provider, has developed free decryption tools for Stop that it claims can help victims recover their files from a ransomware attack. With Stop's 160 versions, four main variants, more than 116,000 confirmed victims among an estimated half million cyber casualties and continually updated new versions, the defenders appear determined to punch back.

How does the Stop ransomware work? It encrypts victims’ files with Salsa20 and appends one of dozens of extensions to filenames, such as “.djvu”, “.rumba”, “.radman” or “.gero”. Victims can unlock their files in exchange for a ransom of as much as $1,000.

“We’ll be breaking Stop’s encryption via a side-channel attack on the ransomware’s keystream,” Emsisoft wrote in a blog post. It’s the first time the method has been used to recover ransomware-encrypted files on such a large scale, the security specialist said.
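Why a stream cipher's keystream is a recovery target, as an added illustration that is not Emsisoft's tool or code from the article: it assumes (the article does not say this) that the same keystream ends up applied to more than one file, and it uses a SHA-256 counter keystream as a stand-in for Salsa20. All names, keys and sample data are constructed.

```python
import hashlib

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream (SHA-256 in counter mode). This is NOT Salsa20."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(plaintext: bytes, key: bytes, nonce: bytes) -> bytes:
    """Stream encryption: ciphertext = plaintext XOR keystream."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))

def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """C = P xor K, so a known original/encrypted pair yields K = P xor C."""
    if len(original) != len(encrypted):
        raise ValueError("pair must be the same file before and after encryption")
    return xor(original, encrypted)

def decrypt_with_keystream(encrypted: bytes, ks: bytes) -> tuple[bytes, bytes]:
    """Return (recovered bytes, tail that the known keystream does not cover)."""
    n = min(len(encrypted), len(ks))
    return xor(encrypted[:n], ks[:n]), encrypted[n:]

def demo() -> dict:
    key, nonce = b"\x11" * 32, b"\x22" * 8      # constructed; unknown to the defender
    backup_copy = b"constructed backup copy of one file " * 2   # 72 bytes
    ks = recover_keystream(backup_copy, encrypt(backup_copy, key, nonce))
    short = b"constructed invoice #1"
    long_ = b"Z" * 100
    rec_short, _ = decrypt_with_keystream(encrypt(short, key, nonce), ks)
    rec_long, tail = decrypt_with_keystream(encrypt(long_, key, nonce), ks)
    # With a fresh nonce per file the recovered keystream is useless.
    rec_fresh, _ = decrypt_with_keystream(encrypt(short, key, b"\x33" * 8), ks)
    return {"short_ok": rec_short == short,
            "long_prefix_ok": rec_long == long_[:len(ks)],
            "long_unrecovered": len(tail),
            "fresh_nonce_ok": rec_fresh == short}

if __name__ == "__main__":
    print(demo())
```

Recovery reaches only as far as the known pair is long, which is why the longest available original/encrypted pair is the most useful one to keep.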

At this point, the tool can only recover files encrypted by 148 of the 160 variants. Emsisoft figures that will enable approximately 70 percent of victims to recover their data. For people affected by the remaining 12 variants, no solution currently exists. “We recommend that those who find themselves in this position archive the encrypted data in case a solution becomes available in the future,” Emsisoft said.

Stop’s geographic reach and penetration are daunting. According to Emsisoft’s Ransomware Statistics report for Q2 and Q3 2019, Stop accounts for more than half of all the ransomware submissions throughout the world. It’s most pervasive in Indonesia, India and the U.S., where it accounts for almost half of all submissions. In the past year, Emsisoft said, Stop has accounted for 54 percent of the top five ransomware strains and has been found in 71 percent of the top five detections in the past 60 days.

Here’s the text of a ransom note from the Stop ransomware attackers:

ATTENTION!

Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-sTWdbjk1AY
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

D. Howard Kass
